CVE-2015-2424 | Microsoft Office - PowerPoint/Word Operational Intel

Executive Risk Summary

"A memory corruption vulnerability exists in Microsoft Office that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted Office document. This vulnerability affects various versions of Microsoft Office, including PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1."

Anticipated Attack Path

1. Phishing or social engineering to deliver the crafted Office document
2. User opens the malicious document, triggering the vulnerability
3. Arbitrary code execution or denial of service

Am I Vulnerable?

Verify that all Microsoft Office versions are up-to-date with the latest security patches
Implement email and web filtering to block malicious documents
Educate users on the risks of opening attachments from unknown sources

Operational Audit Arsenal

Target Type Process

Target Asset powerpnt.exe

Standard Path C:\Program Files\Microsoft Office\Root\Office16

PowerShell

# 🛠️ Senior Engineer Universal Audit
# Target: powerpnt.exe (Process)
$Targets = 'powerpnt.exe'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue | 
Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}